Invite & import users

Overview

There are several ways to maintain and manage the user list in Flexopus. This article outlines the supported methods for importing users into the system, which include:

  • Creating users with SAML2 SSO
  • Creating users with OAuth SSO
  • Provisioning users via the SCIM API
  • Provisioning users with Google Groups
  • Importing users via REST API
  • Importing users manually
  • Creating users manually

Create users with SAML2 SSO

You can connect your preferred identity provider to Flexopus via SAML2 for single sign-on (SSO). This allows users from identity providers such as Microsoft Azure, AD FS, Google, Okta, Ping, etc., to log in using their existing credentials for authentication.

Once Flexopus is connected with SAML2, you can control which users are allowed to log in through your identity provider. Upon a user's first successful login, their profile is automatically created in Flexopus using attributes like UPN, email, and name. This eliminates the need to manually add users one by one.

Additionally, you can disable email and password-based login, forcing users to log in through SSO. Access to Flexopus can also be revoked directly in your identity provider if needed.

Learn more about SAML2 integrations:

SAML2 for a custom provider

We created a step-by-step instruction manual for the most commonly used Identity Providers as well:

Azure Active Directory SAML2 SSO
Microsoft AD FS SAML2 SSO
Google SAML2 SSO
Keycloak SAML2 SSO
Okta SAML2 + SCIM
Akamai SAML SSO
Ping Identity SAML2 + SCIM
💡
Note: Connecting your identity provider for single sign on is a highly recommended way of handling your users in Flexopus.

Create users with OAuth SSO

You can connect Flexopus via OAuth SSO with providers like Google, Microsoft 365, and Webex. This offers a more flexible solution for single sign-on (SSO), allowing users to log in and have their profiles automatically created in Flexopus.

💡
Note: Please check if you can use SAML2 instead of the OAuth options for SSO login. With a SAML2 connection, you have greater control over which users are allowed to log in. In contrast, with OAuth SSO, control is limited to the domain level.

If you connect Flexopus with Google OAuth for single sign-on, this would initially allow all Google users worldwide to log in to your Flexopus instance. However, you can apply a domain-based filter to restrict access, ensuring that only users with a specific domain can log in. For example, you could enable login exclusively for Google users with a @flexopus.com email address.

Learn more about the supported OAuth connections:

Microsoft Office 365 OAuth SSO
Google OAuth SSO
Webex OAuth SSO

Provision users via the SCIM API

Some identity providers offer the option to provision users via the SCIM API. This allows you to automatically import users and groups into Flexopus, independent of their login attempts. With this method, user profiles can be created before the first login. Flexopus has implemented SCIM API v2, which is designed to work with any identity provider that also supports this version. This makes user provisioning seamless and efficient.

💡
Note: The SCIM API is usually used in combination with the SAML2 single sign on.

To our current knowledge, the following identity providers support SCIM: Azure Active Directory, Okta, Ping Identity. We also created a step-by-step instruction manual on how to configure them:

Azure Active Directory SCIM API
Okta SAML2 + SCIM
Ping Identity SAML2 + SCIM

Provision users with Google Groups

💡
Note: Only for companies using Google Workspace as user directory.

To automatically create users, you can use the Google Groups integration in Flexopus. This integration allows you to synchronize groups and their associated users via the Google API. While Google does not offer the SCIM API, this integration serves as an equally effective alternative for provisioning users independently of their login attempts.

Learn more here:

Google Groups Sync

Import users via REST API

As an alternative solution, you can also import users into Flexopus using our REST API. You upload the user list as a file to a dedicated endpoint; the accepted formats are CSV, TXT, ODS, XLS, and XLSX.

In this article, you'll find instructions on how to generate an API token for this process:

Flexopus: REST API
Learn how to access Flexopus’s REST API to integrate your data and create custom solutions tailored to your needs.

Here is the Flexopus API documentation:

Flexopus API Documentation

Use the following endpoint:

POST /api/v1/users/import

The endpoint authenticates requests with the generated Bearer token and accepts multipart form data with the following parameters:

  • file <file> (required):
    The file containing the user list to be imported. Accepted file formats: CSV, TXT, ODS, XLS, and XLSX.
  • update <boolean> (default: false):
    Determines whether existing users should be updated.
  • deactivate <boolean> (default: false):
    Specifies whether users not present in the list should be deactivated.
  • restore <boolean> (default: false):
    Determines whether deactivated users present in the list should be reactivated.
💡
Note: The expected file structure and an example file are described in more detail within the application. To access this information, go to Dashboard > Users > Import / Export.

Here is an example using the curl program. This example will:

  • Deactivate every user not present in the users.csv file.
  • Create every user present in the users.csv file but not already in the system.
  • Update and (if deactivated) re-activate every user present in both the users.csv file and the system.

curl https://<your-domain>.flexopus.com/api/v1/users/import \
    -H "Accept: application/json" \
    -H "Authorization: Bearer <your-token>" \
    -F "file=@./users.csv" \
    -F "update=1" \
    -F "deactivate=1" \
    -F "restore=1" \
    -F "dry_run=0"

The endpoint returns JSON data in the following format:

{
  "dryRun": false,         // dry_run flag from the request
  "created": [2, 3],       // row indices for freshly created users
  "updated": [4, 6],       // row indices for updated users
  "deleted": 0,            // the number of deleted users
  "skipped": [5, 8],       // row indices for unchanged users
  "errors": [7],           // indices for rows with errors
  "errorMessages": {       // object with messages for every error
    "7": {                     // row index of error
      "email": [                   // column with error
        "The email must be a valid email address." // error message
      ]
    }
  },
  "rows": 7,              // total number of processed rows
  "filename": "users.csv" // name of the uploaded file
}
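
The check below is an added example, not Flexopus code: it inspects the response to a request sent with dry_run=1 before the same file is sent for real with deactivate=1, which acts on every user missing from the file. It assumes that dry_run=1 reports results without applying them and that "rows" excludes the header line (the page shows dry_run only in the curl call and the response); the CSV columns and the response are constructed samples.

```python
import csv
import io
import json

# Constructed sample data: the real column layout is described in the
# application under Dashboard > Users > Import / Export.
SAMPLE_CSV = "name,email\nAda,ada@example.com\nBob,bob@example\nCy,cy@example.com\n"
SAMPLE_DRY_RUN = json.loads("""{
  "dryRun": true, "created": [2, 4], "updated": [], "deleted": 0,
  "skipped": [], "errors": [3],
  "errorMessages": {"3": {"email": ["The email must be a valid email address."]}},
  "rows": 3, "filename": "users.csv"
}""")


def count_data_rows(csv_text):
    """Count non-empty rows after the header line of the import file."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if any(c.strip() for c in r)]
    return max(len(rows) - 1, 0)


def gate_import(response, expected_rows):
    """Return (ok, reasons); ok is True only if the real import may proceed."""
    reasons = []
    if response.get("dryRun") is not True:
        reasons.append("response does not come from a dry run")
    # Assumption: "rows" counts data rows without the header line.
    if response.get("rows") != expected_rows:
        reasons.append(
            f"server processed {response.get('rows')} rows, file has {expected_rows}")
    messages = response.get("errorMessages") or {}
    for row in response.get("errors", []):
        columns = messages.get(str(row), {})
        if not columns:
            reasons.append(f"row {row}: rejected without a message")
        for column, texts in columns.items():
            reasons.append(f"row {row}, column {column}: {'; '.join(texts)}")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, reasons = gate_import(SAMPLE_DRY_RUN, count_data_rows(SAMPLE_CSV))
    print("safe to import" if ok else "blocked:\n  " + "\n  ".join(reasons))
```

In a scheduled sync, pass the parsed JSON body of the dry-run request to gate_import and send the request with dry_run=0 only when it returns ok.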

Import users manually

As an administrator, you can also upload users into Flexopus manually on the dashboard. Navigate to Dashboard > Users > Import / Export.

First, download one of the provided import templates as an Excel (XLSX) file or as a CSV file. Alternatively, you can export all existing users with the export function and edit that file.

Download example file

To import the updated file, a file upload can be found at the bottom of the page.

Upload file and set upload parameters
💡
Note: If you have updated attributes of existing users, also activate the Update existing users option. This will overwrite the data of existing users and not skip them.

The following file formats are accepted: CSV, ODS, XLSX, XLS. After the upload, the application will validate the file. In case the file or the file entries are invalid, you will get an error message.

Upload errors

Create users manually

You can also create and invite users manually in Flexopus, though this is the least recommended method as it requires the most effort and is not optimized. Before proceeding with this option, consider using one of the other methods mentioned to maintain the user base more efficiently.

To create a user manually, follow these steps:

  1. As an administrator, navigate to Dashboard > Users > All Users.
  2. Click on the Add User button.
  3. Enter the user's name and email address.
  4. Optionally, you can send an invitation message to the user.

It's advisable to explore other options before using this method to save time and resources.

Create user manually
💡
Note: If you have disabled email and password-based authentication for your instance, the manually created user will need to use SSO for login. This makes manual user creation unnecessary in most cases.

Once a user is created, their email address will remain unverified. The user can set a password either through the welcome email or by visiting the login page and requesting a password reset email.